Entry Point Obscuration

On infection, the first 327 bytes from the file's entry point are overwritten with
deobfuscation code. If the user executes the infected file, Sality.AA restores the
original entry point code and launches the program in order to mask its presence.
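As an added illustration, not code from the original report, the following Python checks whether the 327-byte window at a PE file's entry point differs from a trusted baseline copy, which is exactly the region Sality.AA overwrites. The minimal PE builder and the sample code bytes are constructed here for the demonstration (hypothetical, not a real program); in practice the baseline digest would be taken from a known-clean copy of the binary.

```python
import hashlib
import struct

ENTRY_WINDOW = 327  # bytes Sality.AA overwrites at the entry point, per the report

def entry_point_offset(pe: bytes) -> int:
    """Map AddressOfEntryPoint (an RVA) to a file offset via the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    first_section = opt + opt_size
    for i in range(num_sections):
        hdr = first_section + i * 40         # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            return rptr + (entry_rva - vaddr)
    raise ValueError("entry point is not inside any section")

def entry_code_digest(pe: bytes) -> str:
    """SHA-256 of the ENTRY_WINDOW bytes starting at the entry point."""
    off = entry_point_offset(pe)
    return hashlib.sha256(pe[off:off + ENTRY_WINDOW]).hexdigest()

def entry_code_modified(baseline_pe: bytes, candidate_pe: bytes) -> bool:
    """True if the entry-point window of candidate_pe differs from the trusted baseline."""
    return entry_code_digest(baseline_pe) != entry_code_digest(candidate_pe)

def build_minimal_pe(code: bytes, entry_rva: int = 0x1000) -> bytes:
    """Constructed sample (hypothetical): a bare PE32 image with one .text section, not runnable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, len(code), 0, 0, entry_rva)
    opt += b"\0" * (224 - len(opt))                              # pad to SizeOfOptionalHeader
    raw_ptr = 0x200
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), entry_rva, len(code), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + opt + sect
    return headers + b"\0" * (raw_ptr - len(headers)) + code

if __name__ == "__main__":
    clean = build_minimal_pe(bytes(range(256)) * 2)
    infected = build_minimal_pe(b"\xCC" * ENTRY_WINDOW + (bytes(range(256)) * 2)[ENTRY_WINDOW:])
    print("entry-point window modified:", entry_code_modified(clean, infected))  # True
```

Because only that window is hashed, changes elsewhere in the file are not reported; pair it with a whole-file hash for full integrity coverage.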

Registry

When run, Sality.AA creates a mutex to ensure only one instance is running. It then
modifies a large range of registry entries. The virus attempts to disable processes
and services containing strings related to major antivirus software.

Network Connection

The malware connects to the following website to verify that an Internet connection is available:

https://www.microsoft.com

The malware may also connect to remote sites to download and execute additional malware.

Downloaded files are encrypted; the malware decrypts them into the %temp% folder and
then executes them.